CN112291269B - Cloud desktop authentication method and device, electronic equipment and readable storage medium - Google Patents


Info

Publication number: CN112291269B
Application number: CN202011373093.4A
Authority: CN (China)
Prior art keywords: authentication, identity, cloud desktop, binding information, virtual machine
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112291269A
Inventors: 黄容生, 刘增才, 支志军
Current assignee: CSG Electric Power Research Institute
Original assignee: CSG Electric Power Research Institute
Events: application filed by CSG Electric Power Research Institute; priority to CN202011373093.4A; publication of CN112291269A; application granted; publication of CN112291269B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/08 for authentication of entities
            • H04L 63/0807 using tickets, e.g. Kerberos
            • H04L 63/0823 using certificates
            • H04L 63/083 using passwords
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
        • H04L 67/01 Protocols
            • H04L 67/08 Protocols specially adapted for terminal emulation, e.g. Telnet
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L 9/321 involving a third party or a trusted authority
                • H04L 9/3213 using tickets or tokens, e.g. Kerberos
            • H04L 9/3226 using a predetermined code, e.g. password, passphrase or PIN
            • H04L 9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                • H04L 9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The invention discloses a cloud desktop authentication method, a cloud desktop authentication device, electronic equipment and a readable storage medium, and aims to solve the technical problem that existing cloud desktop authentication methods require two separate authentications, one by the cloud desktop authentication system and one by the virtual machine operating system, so that the account password must be entered at least twice and the user experience is poor. The invention includes: when a user logs in to the cloud desktop, the user identity information is authenticated first, whereupon binding information is sent to the cloud desktop authentication gateway, which uses the binding information to perform domain authentication; after the domain authentication passes, the cloud desktop sends the virtual machine information to the thin terminal, so that the thin terminal can send an identity token to the virtual machine, the virtual machine can authenticate with the identity token to obtain the binding information, and domain authentication is performed with the binding information. Domain authentication of the virtual machine can thus be performed without the user entering login information again; the operation is simple and the user experience is good.

Description

Cloud desktop authentication method and device, electronic equipment and readable storage medium
Technical Field
The invention relates to the technical field of cloud desktop authentication, in particular to a cloud desktop authentication method and device, electronic equipment and a readable storage medium.
Background
The cloud desktop, also called desktop virtualization or cloud computer, is a new mode that replaces the traditional computer. With a cloud desktop, a user does not need to purchase a computer host: all the components contained in a computer host, such as the CPU (central processing unit), memory and hard disk, are virtualized on a back-end server, and a single high-performance server can virtualize 1-50 different virtual computers. The mainstream front-end device is a thin client (a device similar to a television set-top box) connected to a display, keyboard and mouse; after installing a client, the user accesses a virtual machine host on the back-end server through a dedicated communication protocol to operate it interactively, achieving an experience consistent with that of a computer. Meanwhile, the cloud desktop not only supports replacing a traditional computer but also supports access from other intelligent devices on the internet, such as a mobile phone or tablet computer, and is also the latest solution for mobile office.
Existing cloud desktop identity authentication generally authenticates with a domain account, and two separate identity authentications must be performed, one by the cloud desktop identity authentication system and one by the virtual machine operating system, so the account password must be entered at least twice and the user experience is poor. In addition, the verification process lacks identity authentication of the cloud desktop identity authentication system server, so there is a security risk that the identity authentication system server is impersonated.
Disclosure of Invention
The invention provides a cloud desktop authentication method, a cloud desktop authentication device, electronic equipment and a readable storage medium, and aims to solve the technical problem that existing cloud desktop authentication methods require two separate authentications, one by the cloud desktop authentication system and one by the virtual machine operating system, so that the account password must be entered at least twice and the user experience is poor.
The invention provides a cloud desktop authentication method, which relates to a thin terminal, an identity authentication system, a virtual machine, a cloud desktop authentication gateway and a domain control server; the thin terminal has an identity token; the method comprises the following steps:
when a user logs in to a cloud desktop, the identity authentication system receives an authentication request sent by the thin terminal;
the identity authentication system sends binding information corresponding to the authentication request to the cloud desktop authentication gateway based on the authentication request; the binding information comprises a user digital certificate and a domain account;
the cloud desktop authentication gateway sends the binding information to the domain control server for domain authentication;
when the authentication passes, the cloud desktop authentication gateway acquires the virtual machine information corresponding to the binding information and sends the virtual machine information to the thin terminal; the thin terminal is configured to send the identity token to the virtual machine based on the virtual machine information;
the identity authentication system receives the identity token sent by the virtual machine, authenticates the identity token, and sends the binding information to the virtual machine when the authentication passes;
the virtual machine sends the binding information to the domain control server for domain authentication, and when the authentication passes, an authentication result is returned to the thin terminal.
Optionally, the authentication request carries user identity information, and the step in which the identity authentication system sends binding information corresponding to the authentication request to the cloud desktop authentication gateway based on the authentication request comprises:
the identity authentication system responds to the authentication request, performs identity authentication on the user identity information, and sends the binding information corresponding to the user identity information to the cloud desktop authentication gateway when the authentication passes.
Optionally, the identity authentication system includes an authentication gateway and an authentication center, and the step in which the identity authentication system responds to the authentication request, performs identity authentication on the user identity information, and sends the binding information corresponding to the user identity information to the cloud desktop authentication gateway when the authentication passes comprises:
the identity authentication system performs identity authentication on the user identity information through the authentication gateway;
when the authentication passes, the identity authentication system acquires the binding information corresponding to the user identity information from the authentication center through the authentication gateway and sends it to the cloud desktop authentication gateway.
Optionally, the method further comprises:
the thin terminal receives an authentication gateway digital certificate returned by the identity authentication system based on the authentication request and performs validity authentication on the authentication gateway digital certificate.
The invention also provides a cloud desktop authentication device, which involves the thin terminal, the identity authentication system, the virtual machine, the cloud desktop authentication gateway and the domain control server; the thin terminal has an identity token; the identity authentication system includes:
an authentication request receiving module, for receiving an authentication request sent by the thin terminal when a user logs in to a cloud desktop;
a first binding information sending module, for sending binding information corresponding to the authentication request to the cloud desktop authentication gateway based on the authentication request; the binding information comprises a user digital certificate and a domain account;
an identity token authentication module, for receiving the identity token sent by the virtual machine, authenticating the identity token, and sending the binding information to the virtual machine when the authentication passes;
the cloud desktop authentication gateway comprises:
a second binding information sending module, for sending the binding information to the domain control server for domain authentication;
a virtual machine information sending module, for acquiring the virtual machine information corresponding to the binding information and sending it to the thin terminal when the authentication passes; the thin terminal is configured to send the identity token to the virtual machine based on the virtual machine information;
the virtual machine includes:
a third binding information sending module, for sending the binding information to the domain control server for domain authentication and returning an authentication result to the thin terminal when the authentication passes.
Optionally, the authentication request carries user identity information, and the first binding information sending module includes:
a first binding information sending submodule, for responding to the authentication request, performing identity authentication on the user identity information, and sending the binding information corresponding to the user identity information to the cloud desktop authentication gateway when the authentication passes.
Optionally, the identity authentication system includes an authentication gateway and an authentication center, and the first binding information sending submodule includes:
an identity authentication unit, for the identity authentication system to perform identity authentication on the user identity information through the authentication gateway;
a first binding information sending unit, for acquiring the binding information corresponding to the user identity information from the authentication center through the authentication gateway when the authentication passes, and sending it to the cloud desktop authentication gateway.
Optionally, the device further comprises:
a legality authentication module, for the thin terminal to receive the authentication gateway digital certificate returned by the identity authentication system based on the authentication request and to perform legality authentication on that certificate.
The invention further provides an electronic device, which includes a memory and a processor, wherein the memory stores a computer program, and when the computer program is executed by the processor, the processor executes the steps of the cloud desktop authentication method as described in any one of the above.
The invention also provides a computer-readable storage medium on which a computer program is stored, which, when executed by the processor, implements the cloud desktop authentication method as described in any one of the above.
According to the technical scheme, the invention has the following advantages: when a user logs in to the cloud desktop, the user's identity information is authenticated first, whereupon the binding information is sent to the cloud desktop authentication gateway, which performs domain authentication with the binding information; after the domain authentication passes, the cloud desktop sends the virtual machine information to the thin terminal, so that the thin terminal can send an identity token to the virtual machine, the virtual machine can authenticate with the identity token to obtain the binding information, and domain authentication is performed with the binding information. Domain authentication of the virtual machine can thus be performed without the user entering login information again; the operation is simple and the user experience is good.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without inventive exercise.
Fig. 1 is a flowchart illustrating steps of a cloud desktop authentication method according to an embodiment of the present invention;
fig. 2 is a schematic process diagram of a cloud desktop authentication method according to an embodiment of the present invention;
fig. 3 is a block diagram of a cloud desktop authentication apparatus according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a cloud desktop authentication method and device, electronic equipment and a readable storage medium, and aims to solve the technical problem that existing cloud desktop authentication methods require two separate authentications, one by the cloud desktop authentication system and one by the virtual machine operating system, so that the account password must be entered at least twice and the user experience is poor.
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the embodiments described below are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a flowchart illustrating steps of a cloud desktop authentication method according to an embodiment of the present invention.
The invention provides a cloud desktop authentication method, which relates to a thin terminal, an identity authentication system, a virtual machine, a cloud desktop authentication gateway and a domain control server; the thin terminal has an identity token; the method comprises the following steps:
step 101, when a user logs in on a cloud desktop, an identity authentication system receives an authentication request sent by a thin terminal;
The cloud desktop, also called desktop virtualization or cloud computer, is a new mode that replaces the traditional computer. With a cloud desktop, a user does not need to purchase a computer host: all the components contained in a computer host, such as the CPU (central processing unit), memory and hard disk, are virtualized on a back-end server, and a single high-performance server can virtualize 1-50 different virtual computers. The mainstream front-end device is a thin client (a device similar to a television set-top box) connected to a display, keyboard and mouse; after installing a client, the user accesses a virtual machine host on the back-end server through a dedicated communication protocol to operate it interactively, achieving an experience consistent with that of a computer. Meanwhile, the cloud desktop not only supports replacing a traditional computer but also supports access from other intelligent devices on the Internet, such as a mobile phone or tablet, and is also the latest solution for mobile office.
In the embodiment of the invention, a cryptographic algorithm digital certificate resource pool needs to be established; a cryptographic algorithm digital certificate is issued to each user and stored in a cryptographic key. The digital certificate comprises a cryptographic public key and private key pair and is bound one-to-one to the user's domain account.
A user can log in to the cloud desktop through a thin terminal using the cryptographic key; during login, the cloud desktop needs to authenticate the user, so an authentication request is sent to the authentication gateway to verify the user's identity.
Step 102, the identity authentication system responds to the authentication request and sends binding information corresponding to the authentication request to the cloud desktop authentication gateway; the binding information comprises a user data certificate and a domain account;
After receiving the authentication request, the identity authentication system responds to it, performs identity authentication on the user, and, when the authentication passes, sends binding information containing the user digital certificate and the domain account to the cloud desktop authentication gateway.
In one example, the authentication request carries user identity information, which the identity authentication system verifies; specifically, the received user identity information is matched against the user identity information stored in the identity authentication system. If the match succeeds, the identity authentication passes, the binding information of the corresponding user digital certificate and domain account is looked up by the user identity information and sent to the cloud desktop authentication gateway, and the cloud desktop authentication gateway can then perform domain authentication based on the binding information.
Further, the identity authentication system can comprise an authentication gateway and an authentication center. The identity authentication system performs identity authentication on the user identity information through the authentication gateway; when the authentication passes, the binding information of the user digital certificate and domain account corresponding to the user identity information is obtained from the authentication center through the authentication gateway and sent to the cloud desktop authentication gateway, which can then perform domain authentication based on the binding information.
In the embodiment of the invention, when the thin terminal sends the authentication request to the identity authentication system, it can also receive the authentication gateway digital certificate that the identity authentication system returns in response to the authentication request, and then verify the legitimacy of that certificate.
Specifically, an authentication client is deployed on the thin terminal. The digital certificate carries the authentication address and authentication mode of the authentication center; after receiving the authentication gateway's digital certificate, the authentication client can request verification from the authentication center, through the authentication address and mode carried in the certificate, following the authentication flow of an asymmetric encryption algorithm, and obtain the verification result.
In the embodiment of the invention, the login information from the thin terminal is verified through the authentication gateway, while the authentication client on the thin terminal verifies the validity of the authentication gateway; whether the authentication gateway is being impersonated can therefore be detected effectively, and the risk of information leakage is avoided.
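The gateway-certificate check described above, in which the authentication client on the thin terminal validates the authentication gateway's certificate against the authentication center before trusting the gateway, as an added Go illustration that is not code from the patent: it builds a constructed authentication-center root and a gateway certificate issued by it, then shows that a certificate for the same hostname issued by an untrusted CA, or a genuine certificate presented under a different hostname, is rejected. The hostnames, subject names and the use of X.509 over ECDSA P-256 are assumptions of this example; the patent leaves the certificate format and the asymmetric algorithm unspecified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a certificate template; names and validity are constructed sample values.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mint signs tmpl for pub with the signer's key; parent == nil means self-signed (a root).
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyGateway is the thin client's check on the authentication gateway's certificate:
// it must chain to the authentication center's root and name the gateway the client meant to reach.
func VerifyGateway(presented, trustedRoot *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome holds the verification result for the legitimate gateway, an impersonator
// whose certificate comes from an untrusted CA, and a genuine certificate under the wrong name.
type Outcome struct{ Legit, RogueCA, WrongName error }

func Scenario() Outcome {
	const gwName = "auth-gateway.example.internal" // assumed hostname
	caKey := newKey()
	caCert := mint(template("Authentication Center Root", 1, true), nil, &caKey.PublicKey, caKey)
	gwKey := newKey()
	gwCert := mint(template(gwName, 2, false), caCert, &gwKey.PublicKey, caKey)
	// Impersonating gateway: same hostname, but issued by a CA the client does not trust.
	rogueCAKey := newKey()
	rogueCA := mint(template("Rogue Root", 3, true), nil, &rogueCAKey.PublicKey, rogueCAKey)
	rogueKey := newKey()
	rogueCert := mint(template(gwName, 4, false), rogueCA, &rogueKey.PublicKey, rogueCAKey)
	return Outcome{
		Legit:     VerifyGateway(gwCert, caCert, gwName),
		RogueCA:   VerifyGateway(rogueCert, caCert, gwName),
		WrongName: VerifyGateway(gwCert, caCert, "other-host.example.internal"),
	}
}

func main() {
	o := Scenario()
	fmt.Println("legitimate gateway:", o.Legit)
	fmt.Println("untrusted issuer:", o.RogueCA)
	fmt.Println("wrong hostname:", o.WrongName)
}
```

In a deployment the same check belongs in the thin client's TLS configuration: pin the authentication center's root as the only trusted root and set the expected gateway name, rather than accepting whatever the system trust store contains.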
Step 103, the cloud desktop authentication gateway sends the binding information to the domain control server for domain authentication;
In the embodiment of the invention, after receiving the binding information of the user digital certificate and the domain account, the cloud desktop authentication gateway can send it to the domain control server for domain authentication, thereby completing identity authentication at the cloud desktop authentication gateway.
Step 104, when the authentication passes, the cloud desktop authentication gateway acquires the virtual machine information corresponding to the binding information and sends it to the thin terminal; the thin terminal is configured to send the identity token to the virtual machine based on the virtual machine information;
In the embodiment of the invention, after the domain control server has authenticated the user digital certificate and domain account sent by the cloud desktop authentication gateway, the virtual machine information can be obtained and sent to the thin terminal, so that the thin terminal can establish a connection to the virtual machine identified by that information and send the identity token to it. In this way the user does not need to enter the login information again, and the operation is simpler and more convenient.
Step 105, the identity authentication system receives the identity token sent by the virtual machine, authenticates the identity token, and sends binding information to the virtual machine when the authentication is passed;
Step 106, the virtual machine sends the binding information to the domain control server for domain authentication and returns an authentication result to the thin terminal.
In the embodiment of the invention, after receiving the identity token, the virtual machine can send the identity token to an authentication center of the identity authentication system for identity authentication, and after the authentication is passed, the identity authentication system sends the user digital certificate and the domain account binding information to the virtual machine, so that the virtual machine can send the user digital certificate and the domain account binding information to the domain control server for domain authentication. And after receiving the binding information of the user digital certificate and the domain account, the domain control server checks the user account and the password, if the user account and the password are correct, the verification is passed, a verification passing result is returned to the terminal, and the user successfully logs in the virtual machine operating system to complete identity authentication.
When a user logs in to the cloud desktop, the user's identity information is authenticated first, whereupon the binding information is sent to the cloud desktop authentication gateway, which performs domain authentication with the binding information; after the domain authentication passes, the cloud desktop sends the virtual machine information to the thin terminal, so that the thin terminal can send an identity token to the virtual machine, the virtual machine can authenticate with the identity token to obtain the binding information, and domain authentication is performed with the binding information. Domain authentication of the virtual machine can thus be performed without the user entering login information again; the operation is simple and the user experience is good.
For ease of understanding, an embodiment of the invention is described below by way of a specific example:
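The six-step exchange of steps 101 to 106 above, modeled end to end as an added Go example that is not code from the patent. The thin terminal is the caller; the identity authentication system, the cloud desktop authentication gateway's VM assignment, the domain control server and the virtual machine are in-process objects with constructed sample data. The patent does not specify the identity token's format or origin, so this example assumes the identity system issues it at login as an HMAC-signed, short-lived, single-use token bound to the user and the target virtual machine, and that the domain controller's check of a binding compares the certificate fingerprint with the enrolled one; both are assumptions, as are all names and values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Binding is the authentication center's record: a user digital certificate (its fingerprint here) bound one-to-one to a domain account.
type Binding struct{ CertFingerprint, DomainAccount string }

// AuthSystem models the identity authentication system (authentication gateway plus center); the token format and single-use tracking are this example's assumptions.
type AuthSystem struct {
	secret   []byte
	users    map[string]string  // user identity -> expected credential (constructed sample)
	bindings map[string]Binding // user identity -> binding
	used     map[string]bool    // redeemed tokens, so a replayed token is refused
}

func (a *AuthSystem) mac(body string) string {
	m := hmac.New(sha256.New, a.secret)
	m.Write([]byte(body))
	return hex.EncodeToString(m.Sum(nil))
}

// issueToken returns "user|vm|expiryUnix|nonce|hmac", bound to one user and one target VM.
func (a *AuthSystem) issueToken(user, vm string, ttl time.Duration) string {
	nonce := make([]byte, 8)
	rand.Read(nonce)
	body := fmt.Sprintf("%s|%s|%d|%s", user, vm, time.Now().Add(ttl).Unix(), hex.EncodeToString(nonce))
	return body + "|" + a.mac(body)
}

// RedeemToken is step 105: the VM presents the token; the center checks MAC, expiry, target VM and single use before releasing the binding.
func (a *AuthSystem) RedeemToken(token, vm string, now time.Time) (Binding, error) {
	p := strings.Split(token, "|")
	if len(p) != 5 || !hmac.Equal([]byte(a.mac(strings.Join(p[:4], "|"))), []byte(p[4])) {
		return Binding{}, errors.New("invalid token")
	}
	exp, err := strconv.ParseInt(p[2], 10, 64)
	switch {
	case err != nil || now.Unix() > exp:
		return Binding{}, errors.New("token expired")
	case p[1] != vm:
		return Binding{}, errors.New("token was not issued for this virtual machine")
	case a.used[token]:
		return Binding{}, errors.New("token already redeemed")
	}
	a.used[token] = true
	return a.bindings[p[0]], nil // an unknown user yields an empty binding, which domain authentication rejects
}

// domainAuthenticate models the domain control server (steps 103 and 106); matching the enrolled fingerprint is an assumption standing in for the credential check the patent does not detail.
func domainAuthenticate(enrolled map[string]string, b Binding) bool {
	fp, ok := enrolled[b.DomainAccount]
	return ok && fp == b.CertFingerprint
}

// Login runs steps 101-106 for one thin-terminal session; vms is the cloud desktop authentication gateway's mapping of domain accounts to virtual machines.
func Login(auth *AuthSystem, vms, enrolled map[string]string, user, credential string) (string, error) {
	if cred, ok := auth.users[user]; !ok || cred != credential { // 101-102: identity system authenticates the user
		return "", errors.New("step 102: user identity authentication failed")
	}
	b := auth.bindings[user]
	if !domainAuthenticate(enrolled, b) { // 103: desktop gateway forwards the binding to the domain controller
		return "", errors.New("step 103: domain authentication at gateway failed")
	}
	vm, ok := vms[b.DomainAccount] // 104: gateway returns VM info to the terminal
	if !ok {
		return "", errors.New("step 104: no virtual machine assigned")
	}
	token := auth.issueToken(user, vm, 2*time.Minute) // terminal's token for that VM (issuance at login is an assumption)
	vb, err := auth.RedeemToken(token, vm, time.Now()) // 105: VM redeems the token for the binding
	if err != nil {
		return "", fmt.Errorf("step 105: %w", err)
	}
	if !domainAuthenticate(enrolled, vb) { // 106: VM authenticates the binding to the domain
		return "", errors.New("step 106: domain authentication at virtual machine failed")
	}
	return vm, nil
}

// NewSampleDeployment returns constructed sample data for a single user "alice".
func NewSampleDeployment() (*AuthSystem, map[string]string, map[string]string) {
	auth := &AuthSystem{secret: []byte("example-token-secret"), used: map[string]bool{},
		users: map[string]string{"alice": "alice-key-pin"}, bindings: map[string]Binding{"alice": {"fp-alice-cert", "CORP\\alice"}}}
	return auth, map[string]string{"CORP\\alice": "vm-17"}, map[string]string{"CORP\\alice": "fp-alice-cert"}
}

func main() {
	auth, vms, enrolled := NewSampleDeployment()
	fmt.Println(Login(auth, vms, enrolled, "alice", "alice-key-pin"))
}
```

The token checks in RedeemToken are the part the patent leaves implicit: because the virtual machine redeems the token for the user's binding information, a token that is not bound to the target machine, not time-limited and not single-use would let anyone who obtains it retrieve the binding; the example refuses each of those cases.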
referring to fig. 2, fig. 2 is a schematic process diagram of a cloud desktop authentication method according to an embodiment of the present invention;
before identity authentication, the following preliminary work needs to be completed:
Establish a cryptographic-algorithm digital certificate resource pool, issue a cryptographic-algorithm digital certificate to each user, and store it in the user's password key. Each digital certificate comprises a cryptographic public/private key pair and is bound one-to-one with the user's domain account.
Distribute and install a cryptographic-algorithm password card for the authentication gateway; the password card contains a unique digital certificate.
Install a security client on the thin terminal and on the virtual machine operating system to replace the operating system's login component.
The identity authentication process is as follows:
1. The user logs in on the thin terminal with the password key, and an authentication request is sent to the authentication gateway; at the same time, the authentication client on the thin terminal verifies the authentication gateway's digital certificate to confirm that the gateway is legitimate.
2. After the authentication gateway verifies the user's identity, it requests the binding information of the user digital certificate and the domain account from the authentication center.
3. The authentication gateway sends the binding information of the user digital certificate and the domain account to the cloud desktop authentication gateway.
4. After receiving the binding information, the cloud desktop authentication gateway sends it to the domain control server for domain authentication.
5. After the domain control server passes the authentication, it informs the cloud desktop authentication gateway, which returns the virtual machine information to the thin terminal.
6. The thin terminal transmits the identity token to the virtual machine through a customized pipeline, so that the authentication client installed on the virtual machine obtains the identity token.
7. The authentication client on the virtual machine sends the identity token to the authentication center for identity verification and obtains the binding information of the user digital certificate and the domain account.
8. The authentication client on the virtual machine sends the binding information to the domain control server for domain authentication; after the authentication passes, the user is logged in to the virtual machine operating system, completing the final identity authentication.
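As an added illustration, not code from the patent or from the applicant, the following Python model runs the preparatory work and the eight steps above end to end on constructed sample data: the thin terminal checks the gateway certificate before anything else, the gateway fetches the binding and issues the identity token, the cloud desktop authentication gateway does domain authentication before releasing virtual machine information, and the VM's authentication client turns the token back into a binding at the center before its own domain authentication. All names are hypothetical; an HMAC under the authentication center's key stands in for a signed identity token, a hash stands in for each digital certificate, and the `domain_secret` field is an assumed stand-in for the domain credential released with the binding.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Certificate:
    subject: str
    fingerprint: str  # assumption: a hash stands in for the certificate's public key and signature

@dataclass(frozen=True)
class Binding:
    cert_fingerprint: str
    domain_account: str
    domain_secret: str  # assumption: the domain credential the center releases with the binding

def make_cert(subject: str) -> Certificate:
    """Toy certificate issuance: one per user, plus one for the gateway's password card."""
    return Certificate(subject, hashlib.sha256(subject.encode() + secrets.token_bytes(8)).hexdigest())

class AuthCenter:
    """Certificate resource pool (certificate <-> domain account, one-to-one); issues and checks tokens."""

    def __init__(self) -> None:
        self._mac_key = secrets.token_bytes(32)  # assumption: HMAC key stands in for the center's signing key
        self._pool: dict[str, Binding] = {}

    def enroll(self, cert: Certificate, domain_account: str, domain_secret: str) -> None:
        if cert.fingerprint in self._pool or any(b.domain_account == domain_account for b in self._pool.values()):
            raise ValueError("certificate and domain account must bind one-to-one")
        self._pool[cert.fingerprint] = Binding(cert.fingerprint, domain_account, domain_secret)

    def binding_for(self, cert: Certificate) -> Binding | None:
        return self._pool.get(cert.fingerprint)

    def issue_token(self, cert: Certificate, ttl_s: int = 60) -> str:
        # Identity token: random id . certificate fingerprint . expiry . MAC over those three fields.
        body = f"{secrets.token_hex(8)}.{cert.fingerprint}.{int(time.time()) + ttl_s}"
        return body + "." + hmac.new(self._mac_key, body.encode(), hashlib.sha256).hexdigest()

    def verify_token(self, token: str) -> Binding | None:
        # Step 7: a malformed, forged or expired token yields no binding.
        try:
            tid, fp, exp, mac = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._mac_key, f"{tid}.{fp}.{exp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected) or int(exp) < time.time():
            return None
        return self._pool.get(fp)

def domain_auth(accounts: dict[str, str], b: Binding) -> bool:
    # Domain control server: checks the account and password carried in the binding information.
    stored = accounts.get(b.domain_account)
    return stored is not None and hmac.compare_digest(stored, b.domain_secret)

def gateway_authenticate(center: AuthCenter, user_cert: Certificate) -> tuple[Binding, str] | None:
    # Steps 2-3 (authentication gateway): verify the user (toy: certificate is enrolled),
    # fetch the binding from the center and issue the identity token the terminal will hold.
    b = center.binding_for(user_cert)
    return None if b is None else (b, center.issue_token(user_cert))

def cloud_desktop_gateway(accounts: dict[str, str], vm_table: dict[str, str], b: Binding) -> str | None:
    # Steps 4-5: domain authentication first, then the VM assigned to that account.
    return vm_table.get(b.domain_account) if domain_auth(accounts, b) else None

def vm_login(center: AuthCenter, accounts: dict[str, str], token: str) -> bool:
    # Steps 7-8 (authentication client on the VM): token -> binding, then domain authentication.
    b = center.verify_token(token)
    return b is not None and domain_auth(accounts, b)

def thin_terminal_login(env: dict, user_cert: Certificate, trusted_gw_fps: set[str]) -> dict:
    """Runs steps 1-8 from the thin terminal's side; reports the stage reached and the outcome."""
    if env["gw_cert"].fingerprint not in trusted_gw_fps:          # step 1: gateway legality check
        return {"stage": "gateway_cert", "ok": False}
    r = gateway_authenticate(env["center"], user_cert)            # steps 2-3
    if r is None:
        return {"stage": "identity", "ok": False}
    binding, token = r
    vm_id = cloud_desktop_gateway(env["accounts"], env["vm_table"], binding)  # steps 4-5
    if vm_id is None:
        return {"stage": "domain_auth", "ok": False}
    # Step 6: the token travels to the VM over the customized pipeline; steps 7-8 run there.
    return {"stage": "vm_login", "ok": vm_login(env["center"], env["accounts"], token), "vm": vm_id}

def build_demo() -> tuple[dict, Certificate]:
    """Constructed sample environment: one enrolled user, one gateway, one VM."""
    center = AuthCenter()
    alice = make_cert("alice")
    center.enroll(alice, "CORP\\alice", "s3cret-alice")
    env = {"center": center, "gw_cert": make_cert("auth-gateway"),
           "accounts": {"CORP\\alice": "s3cret-alice"}, "vm_table": {"CORP\\alice": "vm-017"}}
    return env, alice
```

Two checks in the model are the ones worth reviewing in a real deployment of this scheme: the thin terminal's gateway-certificate check in step 1, which pins the gateway before the password key is used at all, and the token verification at the center in step 7, which is the only control between possession of a token and a domain login on the virtual machine, so the token's integrity protection and expiry matter as much as the domain check itself.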
Referring to fig. 3, fig. 3 is a block diagram of a cloud desktop authentication apparatus according to an embodiment of the present invention.
The invention further provides a cloud desktop authentication apparatus, which involves a thin terminal, an identity authentication system, a virtual machine, a cloud desktop authentication gateway and a domain control server; the thin terminal holds an identity token. The identity authentication system comprises:
the authentication request receiving module 301 is configured to receive an authentication request sent by a thin terminal when a user performs cloud desktop login;
a first binding information sending module 302, configured to send binding information corresponding to the authentication request to the cloud desktop authentication gateway based on the authentication request; the binding information comprises a user digital certificate and a domain account;
the identity token authentication module 303 is configured to receive an identity token sent by the virtual machine, authenticate the identity token, and send binding information to the virtual machine when the authentication is passed;
the cloud desktop authentication gateway comprises:
a second binding information sending module 304, configured to send the binding information to a domain control server for domain authentication;
the virtual machine information sending module 305 is configured to, when the authentication passes, obtain virtual machine information corresponding to the binding information, and send the virtual machine information to the thin terminal; the thin terminal is used for sending the identity token to the virtual machine based on the virtual machine information;
the virtual machine includes:
a third binding information sending module 306, configured to send the binding information to the domain control server for domain authentication and, when the authentication passes, return the authentication result to the thin terminal.
Optionally, the authentication request carries user identity information; the first binding information sending module 302 includes:
a first binding information sending submodule, configured to respond to the authentication request, perform identity authentication on the user identity information, and send the binding information corresponding to the user identity information to the cloud desktop authentication gateway when the authentication passes.
Optionally, the identity authentication system includes an authentication gateway and an authentication center; the first binding information sending submodule includes:
an identity authentication unit, configured to authenticate the user identity information through the authentication gateway;
a first binding information sending unit, configured to obtain the binding information corresponding to the user identity information from the authentication center through the authentication gateway when the authentication passes, and send it to the cloud desktop authentication gateway.
Optionally, the thin terminal includes:
a validity authentication module, configured to receive the authentication gateway digital certificate returned by the identity authentication system in response to the authentication request and to verify the validity of that certificate.
The invention further provides an electronic device, which includes a memory and a processor, wherein the memory stores a computer program, and when the computer program is executed by the processor, the processor executes the steps of the cloud desktop authentication method provided by any embodiment of the invention.
The invention further provides a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the cloud desktop authentication method as provided in any embodiment of the invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A cloud desktop authentication method is characterized by comprising a thin terminal, an identity authentication system, a virtual machine, a cloud desktop authentication gateway and a domain control server; the thin terminal has an identity token; the method comprises the following steps:
when a user logs in a cloud desktop, the identity authentication system receives an authentication request sent by the thin terminal;
the identity authentication system sends binding information corresponding to the authentication request to the cloud desktop authentication gateway based on the authentication request; the binding information comprises a user data certificate and a domain account;
the cloud desktop authentication gateway sends the binding information to the domain control server for domain authentication;
when the domain authentication is passed, the cloud desktop authentication gateway acquires the virtual machine information corresponding to the binding information and sends the virtual machine information to the thin terminal; the thin terminal is used for sending the identity token to the virtual machine based on the virtual machine information;
the identity authentication system receives the identity token sent by the virtual machine, authenticates the identity token, and sends the binding information to the virtual machine when the authentication is passed;
the virtual machine sends the binding information to the domain control server for domain authentication, and when the authentication is passed, an authentication result is returned to the thin terminal.
2. The method according to claim 1, wherein the authentication request carries user identity information; the identity authentication system sends binding information corresponding to the authentication request to the cloud desktop authentication gateway based on the authentication request, and the step comprises the following steps:
the identity authentication system responds to the authentication request, performs identity authentication on the user identity information, and sends binding information corresponding to the user identity information to the cloud desktop authentication gateway when the authentication is passed.
3. The method of claim 2, wherein the identity authentication system comprises an authentication gateway and an authentication center; the identity authentication system responds to the authentication request, performs identity authentication on the user identity information, and sends binding information corresponding to the user identity information to the cloud desktop authentication gateway when the authentication is passed, wherein the step comprises the following steps:
the identity authentication system carries out identity authentication on the user identity information through the authentication gateway;
when the authentication is passed, acquiring binding information corresponding to the user identity information from the authentication center through the authentication gateway, and sending the binding information to the cloud desktop authentication gateway.
4. The method of claim 1, further comprising:
the thin terminal receives an authentication gateway digital certificate returned by the identity authentication system based on the authentication request and carries out validity authentication on the authentication gateway digital certificate.
5. A cloud desktop authentication device is characterized by relating to a thin terminal, an identity authentication system, a virtual machine, a cloud desktop authentication gateway and a domain control server; the thin terminal has an identity token; the identity authentication system includes:
the authentication request receiving module is used for receiving an authentication request sent by the thin terminal when a user logs in a cloud desktop;
the first binding information sending module is used for sending binding information corresponding to the authentication request to the cloud desktop authentication gateway based on the authentication request; the binding information comprises a user data certificate and a domain account;
the identity token authentication module is used for receiving the identity token sent by the virtual machine, authenticating the identity token, and sending the binding information to the virtual machine when the authentication is passed;
the cloud desktop authentication gateway comprises:
the second binding information sending module is used for sending the binding information to the domain control server for domain authentication;
the virtual machine information sending module is used for acquiring the virtual machine information corresponding to the binding information and sending the virtual machine information to the thin terminal when the domain authentication is passed; the thin terminal is used for sending the identity token to the virtual machine based on the virtual machine information;
the virtual machine includes:
the third binding information sending module is used for sending the binding information to the domain control server for domain authentication, and returning an authentication result to the thin terminal when the authentication is passed.
6. The apparatus according to claim 5, wherein the authentication request carries user identity information; the first binding information sending module includes:
the first binding information sending submodule is used for responding to the authentication request, performing identity authentication on the user identity information, and sending the binding information corresponding to the user identity information to the cloud desktop authentication gateway when the authentication is passed.
7. The apparatus of claim 6, wherein the identity authentication system comprises an authentication gateway and an authentication center; the first binding information sending submodule includes:
the identity authentication unit is used for the identity authentication system to perform identity authentication on the user identity information through the authentication gateway;
the first binding information sending unit is used for acquiring binding information corresponding to the user identity information from the authentication center through the authentication gateway when the authentication is passed, and sending the binding information to the cloud desktop authentication gateway.
8. The apparatus of claim 5, wherein the thin terminal comprises:
the legality authentication module is used for receiving the authentication gateway digital certificate returned by the identity authentication system based on the authentication request and carrying out legality authentication on the authentication gateway digital certificate.
9. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and wherein the computer program, when executed by the processor, causes the processor to perform the steps of the cloud desktop authentication method according to any one of claims 1-4.
10. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the cloud desktop authentication method of any one of claims 1-4.
CN202011373093.4A 2020-11-30 2020-11-30 Cloud desktop authentication method and device, electronic equipment and readable storage medium Active CN112291269B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011373093.4A CN112291269B (en) 2020-11-30 2020-11-30 Cloud desktop authentication method and device, electronic equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011373093.4A CN112291269B (en) 2020-11-30 2020-11-30 Cloud desktop authentication method and device, electronic equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN112291269A CN112291269A (en) 2021-01-29
CN112291269B true CN112291269B (en) 2023-03-03

Family

ID=74425959

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011373093.4A Active CN112291269B (en) 2020-11-30 2020-11-30 Cloud desktop authentication method and device, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN112291269B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113452711B (en) * 2021-06-29 2023-07-14 新华三大数据技术有限公司 Single sign-on method of cloud desktop and network equipment
CN114844663B (en) * 2022-03-02 2024-03-01 阿里巴巴(中国)有限公司 Desktop sharing method, system, storage medium and equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106060029A (en) * 2016-05-24 2016-10-26 杭州华三通信技术有限公司 Access control method and device of virtual desktop
CN107332808A (en) * 2016-04-29 2017-11-07 中兴通讯股份有限公司 A kind of method, server and the terminal of the certification of cloud desktop
CN108694065A (en) * 2017-04-10 2018-10-23 鸿富锦精密电子(天津)有限公司 virtual desktop system and virtual desktop control method
CN109873805A (en) * 2019-01-02 2019-06-11 平安科技(深圳)有限公司 Cloud desktop login method, device, equipment and storage medium based on cloud security
CN110808983A (en) * 2019-11-05 2020-02-18 西安雷风电子科技有限公司 Cloud desktop identity recognition detection method for network access of cloud desktop terminal

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8607054B2 (en) * 2010-10-15 2013-12-10 Microsoft Corporation Remote access to hosted virtual machines by enterprise users
CN106534219A (en) * 2016-12-31 2017-03-22 中国移动通信集团江苏有限公司 Security authentication method and device for desktop cloud portal
CN110765192A (en) * 2019-10-18 2020-02-07 广东省城乡规划设计研究院 GIS data management and processing method based on cloud platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and Implementation of Virtual Cloud Desktop Authentication and Secure Transmission Technology; 张国印 (Zhang Guoyin); China Master's Theses Full-text Database; 20160415; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210525

Address after: 510663 3 building, 3, 4, 5 and J1 building, 11 building, No. 11, Ke Xiang Road, Luogang District Science City, Guangzhou, Guangdong.

Applicant after: ELECTRIC POWER Research Institute CHINA SOUTHERN POWER GRID

Address before: 510663 3 building, 3, 4, 5 and J1 building, 11 building, No. 11, Ke Xiang Road, Luogang District Science City, Guangzhou, Guangdong.

Applicant before: ELECTRIC POWER Research Institute CHINA SOUTHERN POWER GRID

Applicant before: POWER GRID TECHNOLOGY RESEARCH CENTER. CHINA SOUTHERN POWER GRID

GR01 Patent grant